WebSEAL Administration Guide
© Copyright International Business Machines Corporation 2002, 2008. All rights reserved.
server task throttle . . . . . . . . . . 986
server task virtualhost delete . . . . . 998
server task virtualhost list
Appendix D. Support information . . . . 1013
Searching knowledge bases . . . . . . . 1013
Searching information centers . . . . . 1013
Determining the business impact . . . . 1015
Describing problems and gathering information . . . . 1016
Submitting problems . . . . . . . . . . 1016
Glossary . . . . . . . . . . . . . . . . 1023
Index . . . . . . . . . . . . . . . . . 1033
About this publication
Welcome to the IBM® Tivoli® Access Manager for e-business WebSEAL Administration
Guide.
IBM Tivoli Access Manager WebSEAL is the resource manager for Web-based
resources in a Tivoli Access Manager secure domain. WebSEAL is a high
performance, multi-threaded Web server that applies fine-grained security policy to
the protected Web object space. WebSEAL can provide single signon solutions and
incorporate back-end Web application server resources into its security policy.
This administration guide provides a comprehensive set of procedures and
reference information for managing the resources of your secure Web domain. This
guide also provides you with valuable background and concept information for the
wide range of WebSEAL functionality.
IBM® Tivoli® Access Manager is the base software that is required to run applications in the Tivoli Access Manager product suite. This base software enables
the integration of Tivoli Access Manager applications to provide a wide range of authorization and management solutions. Sold as integrated products, these
applications can provide an access control management solution to centralize
network and application security policy for e-business applications.
Intended audience
This guide is for system administrators responsible for configuring and
maintaining a Tivoli Access Manager WebSEAL environment.
Readers should be familiar with the following:
v PC and UNIX® or Linux® operating systems
v Database architecture and concepts
v Security management
v Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and
Telnet
v A supported user registry
v Authentication and authorization
If you are enabling Secure Sockets Layer (SSL) communication, you also should be
familiar with SSL protocol, key exchange (public and private), digital signatures,
cryptographic algorithms, and certificate authorities.
What this publication contains
Part 1: Administration
v Chapter 1, “IBM Tivoli Access Manager WebSEAL overview,” on page 3
v Chapter 2, “Server administration,” on page 21
Part 2: Configuration
v Chapter 4, “Web server response configuration,” on page 79
v Chapter 5, “Web server security configuration,” on page 111
Part 3: Authentication
v Chapter 8, “Advanced authentication methods,” on page 179
v Chapter 9, “Post-authentication processing,” on page 215
v Chapter 10, “Password processing,” on page 223
v Chapter 11, “Credential processing,” on page 235
v Chapter 12, “External authentication interface,” on page 249
Part 4: Session State
v Chapter 15, “Failover solutions,” on page 285
v Chapter 16, “Session state in non-clustered environments,” on page 311
Part 5: Session Management Server
v Chapter 17, “Session management server (SMS) overview,” on page 327
v Chapter 18, “Quickstart guide for WebSEAL using SMS,” on page 333
v Chapter 19, “Configuration for WebSEAL using SMS,” on page 339
Part 6: Authorization
v Chapter 21, “Key management,” on page 375
Part 7: Standard WebSEAL Junctions
v Chapter 22, “Standard WebSEAL junctions,” on page 389
v Chapter 23, “Advanced junction configuration,” on page 411
v Chapter 24, “Modifying URLs to junctioned resources,” on page 441
v Chapter 25, “Command option summary: Standard junctions,” on page 467
Part 8: Virtual Hosting
v Chapter 26, “Virtual host junctions,” on page 481
v Chapter 27, “Command option summary: Virtual host junctions,” on page 507
Part 9: Single Signon Solutions
v Chapter 28, “Single signon solutions across junctions,” on page 519
v Chapter 29, “Windows desktop single signon,” on page 547
v Chapter 30, “Cross-domain single signon,” on page 565
v Chapter 31, “E-community single signon,” on page 581
Part 10: Deployment
v Chapter 33, “Application integration,” on page 623
v Chapter 34, “Dynamic URLs,” on page 641
v Chapter 35, “Attribute retrieval service reference,” on page 655
v Chapter 36, “Authorization decision information retrieval,” on page 665
Appendix
v Appendix A, “Guidelines for changing configuring files,” on page 675
v Appendix B, “Stanza reference,” on page 679
v Appendix C, “Command reference,” on page 943
Publications
This section lists publications in the IBM Tivoli Access Manager for e-business
library and related documents. The section also describes how to access Tivoli
publications online and how to order Tivoli publications.
IBM Tivoli Access Manager for e-business library
Review the descriptions of the Tivoli Access Manager library, the prerequisite
publications, and the related publications to determine which publications you
might find helpful. After you determine the publications you need, refer to the
instructions for accessing publications online.
Additional information about the Tivoli Access Manager for e-business product
itself can be found at the following Web address:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus
The Tivoli Access Manager library is organized into the following categories:
v “Release information”
v “Administration documentation”
v “Problem determination documentation” on page xxxiii
v “Performance tuning documentation” on page xxxiii
Release information
v IBM Tivoli Access Manager for e-business: Release Notes, GC23-6501-00
Provides information about installing and getting started, system requirements, known installation and configuration problems, and problem workarounds.
Installation and upgrade documentation
v IBM Tivoli Access Manager for e-business: Installation Guide, GC23-6502-00
Explains how to install and configure Tivoli Access Manager for e-business.
v IBM Tivoli Access Manager for e-business: Upgrade Guide, SC23-6503-00
Explains how to upgrade to Tivoli Access Manager for e-business version 6.1.
v IBM Tivoli Access Manager for e-business: Quick Start Guide, GI11-8174-00
Provides a high-level overview of a Tivoli Access Manager for e-business version
6.1 installation.
Describes the concepts and procedures for using Tivoli Access Manager. Provides
instructions for performing tasks from the Web Portal Manager interface and by
using the pdadmin utility.
v IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide,
SC23-6505-00
Provides background material, administrative procedures, and technical
reference information for using WebSEAL to manage the resources of your
secure Web domain.
v IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration
Guide, SC23-6506-00
the IBM WebSphere® Edge Server application.
v IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration
Guide, SC23-6507-00
securing your Web domain using a Web server plug-in.
v IBM Tivoli Access Manager for e-business: Shared Session Management Administration
Guide, SC23-6509-00
management server.
v IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User’s Guide, SC23-6510-00
Provides information for network or system security administrators who plan to
enable SSL communication in their Tivoli Access Manager environment.
v IBM Tivoli Access Manager for e-business: Auditing Guide, SC23-6511-00
Provides information about configuring and managing audit events using the
native Tivoli Access Manager approach and the Common Auditing and
Reporting Service. Information about installing and configuring the Common Auditing and Reporting Service that can be used for generating and viewing
operational reports is also provided.
Reference documentation
v IBM Tivoli Access Manager for e-business: Command Reference, SC23-6512-00
Provides reference information about the commands, utilities, and scripts that
are provided with Tivoli Access Manager.
v IBM Tivoli Access Manager for e-business: Administration C API Developer Reference, SC23-6513-00
Provides reference information about using the C language implementation of the administration API to enable an application to perform Tivoli Access
Manager administration tasks.
v IBM Tivoli Access Manager for e-business: Administration Java Classes Developer
Reference, SC23-6514-00
Provides reference information about using the Java™ language implementation
of the administration API to enable an application to perform Tivoli Access
Manager administration tasks.
v IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference,
SC23-6515-00
Provides reference information about using the C language implementation of the authorization API to enable an application to use Tivoli Access Manager
security.
v IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer
Reference, SC23-6516-00
Provides reference information about using the Java language implementation of the authorization API to enable an application to use Tivoli Access Manager
security.
v IBM Tivoli Access Manager for e-business: Web Security Developer Reference, SC23-6517-00
Provides programming and reference information for developing authentication
modules.
Provides problem determination information for Tivoli Access Manager.
v IBM Tivoli Access Manager for e-business: Error Message Reference, GI11-8157-00
Provides explanations and recommended actions for the messages and return
code that are generated by Tivoli Access Manager.
Performance tuning documentation
v IBM Tivoli Access Manager for e-business: Performance Tuning Guide, SC23-6518-00
Provides performance tuning information for an environment consisting of Tivoli
Access Manager with the IBM Tivoli Directory Server as the user registry.
Related products and publications
This section lists the IBM products that are related to and included with a Tivoli
Access Manager solution.
IBM Global Security Kit
Tivoli Access Manager provides data encryption through the use of the Global
Security Kit (GSKit) version 7.0. GSKit is included on the IBM Tivoli Access Manager
Base CD for your particular platform, as well as on the IBM Tivoli Access Manager
Web Security CDs, the IBM Tivoli Access Manager Shared Session Management CDs,
and the IBM Tivoli Access Manager Directory Server CDs.
The GSKit package provides the iKeyman key management utility, gsk7ikm, which
is used to create key databases, public-private key pairs, and certificate requests.
The IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User’s
Guide is available on the Tivoli Information Center Web site in the same section as
the Tivoli Access Manager product documentation.
IBM Tivoli Directory Server
IBM Tivoli Directory Server version 6.1 is included on the IBM Tivoli Access
Manager Directory Server set of CDs for the desired operating system.
Additional information about Tivoli Directory Server can be found at the following
Web address:
http://www.ibm.com/software/tivoli/products/directory-server/
IBM Tivoli Directory Integrator
IBM Tivoli Directory Integrator version 6.1.1 is included on the IBM Tivoli
Directory Integrator CD for the desired operating system.
Additional information about IBM Tivoli Directory Integrator can be found at the
following Web address:
http://www-306.ibm.com/software/tivoli/products/directory-integrator/
IBM DB2 Universal Database
IBM DB2 Universal Database™ Enterprise Server Edition version 9.1 is provided on
the IBM Tivoli Access Manager Directory Server set of CDs and is installed with the
Tivoli Directory Server software. DB2® is required when using Tivoli Directory
Server or z/OS® LDAP servers as the user registry for Tivoli Access Manager. For
z/OS LDAP servers, you must separately purchase DB2.
Additional information about DB2 can be found at the following Web address:
http://www.ibm.com/software/data/db2
IBM WebSphere Application Server
WebSphere Application Server version 6.1 is included on the IBM Tivoli Access
Manager WebSphere Application Server set of CDs for the desired operating system.
WebSphere Application Server enables the support of the Web Portal Manager
interface, which is used to administer Tivoli Access Manager; the Web
Administration Tool, which is used to administer Tivoli Directory Server; the
Common Auditing and Reporting Service, which is used to process and report on
audit events; the session management server, which is used to manage shared
sessions in a Web security server environment; and the Attribute Retrieval Service.
Additional information about WebSphere Application Server can be found at the
following Web address:
Accessing terminology online
The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available at the following
Tivoli software library Web site:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
The IBM Terminology Web site consolidates the terminology from IBM product
libraries in one convenient location. You can access the Terminology Web site at the
following Web address:
Accessing publications online
The Tivoli Software Library provides a variety of Tivoli publications such as white
papers, data sheets, demonstrations, Redbooks™, and announcement letters. The
publications for this product and many other Tivoli products are available online
in Portable Document Format (PDF) or Hypertext Markup Language (HTML)
format, or both in the Tivoli software library at the following Web address:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
To locate product publications in the library, click the first letter of the product
name or scroll until you find the product name. Then click the name of the
Note: To ensure proper printing of PDF publications, select the Fit to page check
box in the Adobe Acrobat Print window (which is available when you click
File → Print).
Ordering publications
You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
You can also order by telephone by calling one of these numbers:
v In the United States: 800-879-2755
v In Canada: 800-426-4968
In other countries, contact your software account representative to order Tivoli
publications. To locate the telephone number of your local representative, perform
the following steps:
Go.
3. Click About this site in the main panel to see an information page that
includes the telephone number of your local representative.
Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully. With this product,
you can use assistive technologies to hear and navigate the interface. You can also
use the keyboard instead of the mouse to operate all features of the graphical user
interface.
Tivoli technical training
For Tivoli technical training information, refer to the following IBM Tivoli
Education Web site at http://www.ibm.com/software/tivoli/education.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM
provides the following ways for you to obtain the support you need:
Online
Go to the IBM Software Support site at http://www.ibm.com/software/support and follow the instructions.
IBM Support Assistant
The IBM Support Assistant (ISA) is a free local software serviceability
workbench that helps you resolve questions and problems with IBM
software products. The ISA provides quick access to support-related
information and serviceability tools for problem determination. To install
the ISA software, go to http://www.ibm.com/software/support/isa.
Problem Determination Guide
For more information about resolving problems, see the IBM Tivoli Access
Manager for e-business: Problem Determination Guide.
This publication uses several conventions for special terms and actions, operating
system-dependent commands and paths, and margin graphics.
Typeface conventions
Bold
v Lowercase commands and mixed case commands that are otherwise
difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin
buttons, fields, folders, icons, list boxes, items inside list boxes,
multicolumn lists, containers, menu choices, menu names, tabs, property
sheets), labels (such as
Italic
v Citations (examples: titles of publications, diskettes, and CDs)
v Words defined in text (example: a nonswitched line is called a
point-to-point line)
v Emphasis of words and letters (words as words example: "Use the word
that to introduce a restrictive clause."; letters as letters example: "The
LUN address must start with the letter L.")
v New terms in text (except in a definition list): a view is a frame in a
workspace that contains data.
v Variables and values you must provide: ... where myname represents....
Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are difficult
to distinguish from surrounding text
v Message text and prompts addressed to the user
v Text that the user must type
v Values for arguments or command options
Operating system-dependent variables and paths
This publication uses the UNIX convention for specifying environment variables
and for directory notation.
When using the Windows command line, replace $variable with %variable% for
environment variables and replace each forward slash ( / ) with a backslash (\) in
directory paths. The names of environment variables are not always the same in
the Windows and UNIX environments. For example, %TEMP% in Windows
environments is equivalent to $TMPDIR in UNIX environments.
Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.
Chapter 1. IBM Tivoli Access Manager WebSEAL overview . . . . 3
Tivoli Access Manager security model . . . . 6
Security model concepts . . . . 6
Access control lists (ACLs) and protected object policies (POPs) . . . . 7
Access control list (ACL) policies . . . . 8
Protected object policies (POPs) . . . . 8
Explicit and inherited policy . . . . 9
Policy administration: The Web Portal Manager . . . . 9
Web space protection . . . . 10
Replicated front-end WebSEAL servers . . . . 17
Junctioned back-end servers . . . . 17
Replicated back-end servers . . . . 18
Chapter 2. Server administration . . . . 21
Server operation . . . . 22
Restarting the WebSEAL server . . . . 23
Displaying WebSEAL server status . . . . 23
Backup and restore . . . . 24
The pdbackup utility . . . . 24
Backing up WebSEAL data . . . . 24
Restoring WebSEAL data . . . . 25
Extracting archived
Common Auditing and Reporting Services (CARS) . . . . 28
Problem determination
Notes on configuration data log file growth . . . . 29
Configuration data log file format . . . . 30
Messages relating to the configuration data log file . . . . 31
Chapter 1. IBM Tivoli Access Manager WebSEAL overview
IBM® Tivoli® Access Manager for e-business (Tivoli Access Manager) is a robust and
secure centralized policy management solution for e-business and distributed
applications.
IBM Tivoli Access Manager WebSEAL is a high performance, multi-threaded Web
server that applies fine-grained security policy to the Tivoli Access Manager
protected Web object space. WebSEAL can provide single signon solutions and
incorporate back-end Web application server resources into its security policy.
This overview chapter introduces you to the main capabilities of the WebSEAL
server.
v “WebSEAL introduction” on page 5
v “Tivoli Access Manager security model” on page 6
v “Web space protection” on page 10
v “Security policy planning and implementation” on page 12
v “WebSEAL authentication” on page 14
v “Standard WebSEAL junctions” on page 15
v “Web space scalability” on page 17
Tivoli Access Manager introduction
IBM Tivoli Access Manager is a complete authorization and network security
policy management solution that provides end-to-end protection of resources over
geographically dispersed intranets and extranets.
In addition to its state-of-the-art security policy management feature, Tivoli Access
Manager provides authentication, authorization, data security, and centralized
resource management capabilities. You use Tivoli Access Manager in conjunction
with standard Internet-based applications to build highly secure and well-managed
intranets.
v Authentication framework
Tivoli Access Manager provides a wide range of built-in authenticators and
supports external authenticators.
v Authorization framework
The Tivoli Access Manager authorization service, accessed through the Tivoli
Access Manager authorization API, provides permit and deny decisions on
requests for protected resources located in the secure domain.
With Tivoli Access Manager, businesses can securely manage access to private
internal network-based resources while leveraging the public Internet’s broad
connectivity and ease of use. Tivoli Access Manager, in combination with a
corporate firewall system, can fully protect the Enterprise intranet from
unauthorized access and intrusion.
WebSEAL introduction
IBM Tivoli Access Manager WebSEAL is the resource manager responsible for
managing and protecting Web-based information and resources.
WebSEAL is a high performance, multi-threaded Web server that applies
fine-grained security policy to resources in the Tivoli Access Manager protected
Web object space. WebSEAL can provide single signon solutions and incorporate
back-end Web application server resources into its security policy.
WebSEAL normally acts as a reverse Web proxy by receiving HTTP/HTTPS
requests from a Web browser and delivering content from its own Web server or
from junctioned back-end Web application servers. Requests passing through
WebSEAL are evaluated by the Tivoli Access Manager authorization service to
determine whether the user is authorized to access the requested resource.
WebSEAL provides the following features:
v Supports multiple authentication methods.
Both built-in and plug-in architectures allow flexibility in supporting a variety of authentication mechanisms.
v Integrates Tivoli Access Manager authorization service.
v Accepts HTTP and HTTPS requests.
v Integrates and protects back-end server resources through WebSEAL junction
technology.
Provides unified view of combined protected object space.
v Manages fine-grained access control for the local and back-end server resources.
Supported resources include URLs, URL-based regular expressions, CGI
programs, HTML files, Java servlets, and Java class files.
v Performs as a reverse Web proxy.
WebSEAL appears as a Web server to clients and appears as a Web browser to
the junctioned back-end servers it is protecting.
v Provides single signon capabilities.
This section contains the following topics:
v “Security model concepts” on page 6
v “The protected object space” on page 6
v “Access control lists (ACLs) and protected object policies (POPs)” on page 7
v “Access control list (ACL) policies” on page 8
v “Protected object policies (POPs)” on page 8
v “Explicit and inherited policy” on page 9
v “Policy administration: The Web Portal Manager” on page 9
Security model concepts
The security policy for a Tivoli Access Manager secure domain is governed and
maintained by two key security structures:
v User registry
The user registry (such as IBM Tivoli Directory Server, Lotus Domino, or
Microsoft Active Directory) contains all users and groups who are allowed to
participate in the Tivoli Access Manager environment (known as the secure
domain).
v Master authorization (policy) database
The authorization database contains a representation of all resources in the
domain (the protected object space). The security administrator can dictate any
level of security by applying rules, known as access control list (ACL) policies
and protected object policies (POPs), to those resources requiring protection.
The process of authentication proves the identity of a user to WebSEAL. A user can
participate in the secure domain as authenticated or unauthenticated. Only users
with an account in the user registry can become authenticated users. Using ACLs
and POPs, the security administrator can make certain resources publicly available
to unauthenticated users. Other resources can be made available only to certain
authenticated users.
When a user successfully authenticates to WebSEAL, a set of identification
information—known as a credential—is created for that user. The credential
contains the user identity, any group memberships, and any special ("extended") security attributes.
A credential is required for the user to fully participate in the secure domain. The
Tivoli Access Manager authorization service enforces security policies by
comparing a user’s authentication credentials with the policy permissions assigned
to the requested resource. The resulting recommendation is passed to the resource
manager (for example, WebSEAL), which completes the response to the original
request.
The protected object space is a hierarchical representation of resources belonging to
a Tivoli Access Manager secure domain. The virtual objects that appear in the
object space represent the actual physical network resources, as specified below:
v System resource – the actual physical file or application.
v Protected object – the logical representation of an actual system resource used
by the authorization service, the Web Portal Manager, and other Tivoli Access
Manager management utilities.
Policies can be attached to objects in the object space to provide protection of the
resource. The authorization service makes authorization decisions based on these
policies.
The combined installation of Tivoli Access Manager base and Tivoli Access
Manager WebSEAL provides the following object space categories:
v Web objects
Web objects represent any resource that can be addressed by an HTTP URL. This
includes static Web pages and dynamic URLs that are converted to database
queries or some other type of application. The WebSEAL server is responsible
for protecting Web objects.
Management objects represent the management activities that can be performed
through the Web Portal Manager. The objects represent the tasks necessary to
define users and set security policy. Tivoli Access Manager supports delegation
of management activities and can restrict an administrator’s ability to set
security policy to a subset of the object space.
v User-defined objects
protected by applications that access the authorization service through the Tivoli
Access Manager authorization API.
Access control lists (ACLs) and protected object policies (POPs)
Security administrators protect Tivoli Access Manager system resources by defining
rules, known as ACL and POP policies, and applying these policies to the object
representations of those resources in the protected object space.
The Tivoli Access Manager authorization service performs authorization decisions
based on the policies applied to these objects. When a requested operation on a
protected object is permitted, the application responsible for the resource
implements this operation.
One policy can dictate the protection parameters of many objects. Any change to
the rule affects all objects to which the ACL or POP is attached.
[Figure: the protected object space, showing Management Objects, Web Objects, and User-Defined Objects]
Access control list (ACL) policies
An access control list policy, or ACL policy, is the set of rules (permissions) that
specifies the conditions necessary to perform certain operations on that resource.
ACL policy definitions are important components of the security policy established
for the secure domain. ACL policies, like all policies, are used to stamp an
organization’s security requirements onto the resources represented in the
protected object space.
1. What operations can be performed on the resource
2. Who can perform these operations
An ACL policy is made up of one or more entries that include user and group
designations and their specific permissions or rights. An ACL can also contain
rules that apply to unauthenticated users.
Protected object policies (POPs)
ACL policies provide the authorization service with information to make a "yes" or
"no" answer on a request to access a protected object and perform some operation
on that object.
Protected object policies (POPs) contain additional conditions on the request that
are passed back to Tivoli Access Manager and the resource manager (such as
WebSEAL) along with the "yes" ACL policy decision from the authorization
service. It is the responsibility of Tivoli Access Manager and the resource manager
to enforce the POP conditions.
The following tables list the available attributes for a POP:
Enforced by Tivoli Access Manager
POP Attribute – Description
argument in the pdadmin pop commands.
Description – Descriptive
the pop show command.
Warning Mode – Provides administrators a means to test ACL and POP policies.
denied access, errors.
Time-of-Day Access – Day and time restrictions for successful access to the protected object.
POP Attribute – Description
Quality of Protection – Specifies the degree of data protection: none, integrity, privacy.
members of
Explicit and inherited policy
Policy can be explicitly applied or inherited. The Tivoli Access Manager protected
object space supports inheritance of ACL and POP attributes. Inheritance is an
important management feature for the security administrator. The administrator
needs to apply explicit policies only at points in the hierarchy where the rules
must change.
Policy administration: The Web Portal Manager
The Web Portal Manager is a Web-based graphical application used to manage
security policy in a Tivoli Access Manager secure domain. The pdadmin command
line utility provides the same administration capabilities as the Web Portal
Manager, plus some commands not supported by the Web Portal Manager.
From the Web Portal Manager (or pdadmin), you can manage the user registry, the
master authorization policy database, and the Tivoli Access Manager servers. You
can also add and delete users and groups and apply ACLs and POPs to network
objects.
Web space protection
When WebSEAL enforces security in a secure domain, each user must provide
proof of identity. In turn, Tivoli Access Manager security policy determines
whether that user is permitted to perform an operation on a requested resource.
Because access to every Web resource in a secure domain is controlled by
WebSEAL, WebSEAL’s requirements for authentication and authorization can
provide comprehensive network security.
In security systems, authorization is distinct from authentication. Authorization
determines whether an authenticated user has the right to perform an operation on
a specific resource in a secure domain. Authentication can validate the identity of a
user, but says nothing about the user’s right to perform operations on a protected
resource.
In the Tivoli Access Manager authorization model, authorization policy is
implemented independently of the mechanism used for user authentication. Users
can authenticate their identity using public and private key, secret key, or
customer-defined mechanisms.
Part of the authentication process involves the creation of a credential that
describes the identity of the user. Authorization decisions made by an
authorization service are based on user credentials.
The resources in a secure domain receive a level of protection as dictated by the
security policy for the domain. The security policy defines the legitimate
participants of the secure domain and the degree of protection surrounding each
resource that is being protected.
The authorization process consists of the following basic components:
v A resource manager is responsible for implementing the requested operation
when authorization is granted. WebSEAL is a resource manager.
A component of the resource manager is a policy enforcer that directs the
request to the authorization service for processing.
Note: Traditional applications bundle the policy enforcer and resource manager
into one process. Examples of this structure include WebSEAL and
third-party applications.
v An authorization service performs the decision-making action on the request.
The following steps illustrate the complete authorization process:
1. A request for a resource from an authenticated user is directed to the resource
manager and intercepted by the policy enforcer process.
The resource manager can be WebSEAL (for HTTP, HTTPS access) or a
third-party application.
2. The policy enforcer process uses the Tivoli Access Manager authorization API
to call the authorization service for an authorization decision.
3. The authorization service performs an authorization check on the resource,
represented as an object in the protected object space.
a. Tivoli Access Manager POPs are checked first.
b. Next the ACL policy attached to the object is checked against the client’s
credentials.
c. Finally, POPs enforced by the resource manager are checked.
4. The decision to accept or deny the request is returned as a recommendation to
the resource manager (through the policy enforcer).
5. If the request is finally approved, the resource manager passes the request on to
the application responsible for the resource.
Security policy planning and implementation
A corporate security policy for Web resources identifies:
v The Web resources requiring protection.
v The level of protection.
Tivoli Access Manager uses a virtual representation of these Web resources, called
the protected object space. The protected object space contains objects that
represent actual physical resources in your network.
You implement security policy by applying the appropriate security mechanisms to
the objects requiring protection.
v Access control list (ACL) policies
ACL policies identify user types that can be considered for access and specify
the operations permitted on the object.
v Protected object policies (POPs)
A POP specifies additional conditions governing the access to the protected
object, such as privacy, integrity, auditing, and time-of-day access.
v Extended attributes
Extended attributes are additional values placed on an object, ACL, or POP that
can be read and interpreted by third-party applications (such as an external
authorization service).
The core component of Tivoli Access Manager is the Tivoli Access Manager
authorization service—which permits or denies access to protected objects
(resources) based on the user’s credentials and the access controls placed on the
objects.
To successfully implement the security policy, you must logically organize the
different content types (as described in “Content types and levels of protection ”
on page 12) and apply the appropriate ACL and POP policies. Access control
management can be very complex and is made much easier by careful
categorization of the content types.
Content types and levels of protection
As the security administrator of your Web space, you must correctly identify the types of content available to a variety of user types. Some content must be highly
protected and available only to specific users; other content is for general public
view. Each security scenario demands different protection requirements and an
associated WebSEAL configuration.
It is your responsibility to:
v Know your Web content
v Identify the types of users requiring access to this content
v Understand the strengths and weaknesses of the available WebSEAL
configuration options for securing this content
Protection of Web content falls into three broad categories:
1. Public content – access requires no protection
v Unauthenticated users can access resources using HTTP.
v An unauthenticated credential is used for access control to resources.
v Basic WebSEAL configuration requirements provide protection.
2. Public content – access requires privacy (encryption)
v Unauthenticated users can access resources using HTTPS.
v Encryption, required by the application server, is used to protect sensitive
data (such as credit card numbers and user account information).
v An unauthenticated credential is used for access control to resources.
v WebSEAL configuration needs to stipulate privacy.
3. Private content – access requires authentication
v Authenticated clients can access resources using HTTP or HTTPS.
v The administrator determines the need for encryption.
v An authenticated credential is used for access control to resources; each user
must have an account defined in the Tivoli Access Manager user registry.
v WebSEAL configuration is complex and all options must be considered
carefully to determine the impact of the security policy.
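The following Python model is added here as an illustration and is not IBM's implementation. It ties together the inheritance rule from "Explicit and inherited policy", the documented check order (POP conditions first, then the ACL against the credential) and the three content categories above. The object paths, group names, ACL entry types and the simplified entry-matching order in permissions_for are assumptions made for the example, not the product's exact rules.

```python
"""Simplified model of the authorization flow and policy inheritance described
in this chapter. Added illustration only: not IBM's implementation, and every
object path, group name and ACL entry type used here is an assumption."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Credential:
    """Produced by authentication; anonymous clients carry an unauthenticated one."""
    user: str = "unauthenticated"
    groups: frozenset = frozenset()
    authenticated: bool = False


@dataclass
class POP:
    qop: str = "none"                # quality of protection: none | integrity | privacy
    allowed_hours: tuple = (0, 24)   # time-of-day window [start, end) in hours


@dataclass
class ProtectedObject:
    acl: Optional[dict] = None       # explicit ACL, or None to inherit from above
    pop: Optional[POP] = None        # explicit POP, or None to inherit from above
    children: dict = field(default_factory=dict)


class ObjectSpace:
    """Protected object space: a tree whose ACL and POP attributes are inherited."""

    def __init__(self):
        self.root = ProtectedObject(acl={}, pop=POP())

    @staticmethod
    def _parts(path):
        return [p for p in path.split("/") if p]

    def attach(self, path, acl=None, pop=None):
        """Apply explicit policy at one point in the hierarchy."""
        node = self.root
        for part in self._parts(path):
            node = node.children.setdefault(part, ProtectedObject())
        if acl is not None:
            node.acl = acl
        if pop is not None:
            node.pop = pop

    def effective_policy(self, path):
        """Walk towards the object; the nearest explicit ACL and POP on the way win,
        so objects below the last explicit policy simply inherit it."""
        node, acl, pop = self.root, self.root.acl, self.root.pop
        for part in self._parts(path):
            node = node.children.get(part)
            if node is None:
                break
            acl = node.acl if node.acl is not None else acl
            pop = node.pop if node.pop is not None else pop
        return acl, pop


def permissions_for(acl, cred):
    """Simplified ACL entry matching (an assumption, not the product's exact rules):
    an unauthenticated credential only ever matches the 'unauthenticated' entry;
    otherwise the user's own entry wins, then the union of group entries, then 'any-other'."""
    if not cred.authenticated:
        return acl.get("unauthenticated", set())
    if f"user:{cred.user}" in acl:
        return acl[f"user:{cred.user}"]
    group_perms = set().union(*(acl.get(f"group:{g}", set()) for g in cred.groups))
    return group_perms or acl.get("any-other", set())


def check_access(space, cred, path, op="r", scheme="http", hour=None):
    """Decide in the order the guide gives: POP conditions first, then the ACL
    against the credential. Returns (permitted, reason)."""
    acl, pop = space.effective_policy(path)
    hour = datetime.now().hour if hour is None else hour
    if pop.qop == "privacy" and scheme != "https":
        return False, "POP: quality of protection 'privacy' requires HTTPS"
    start, end = pop.allowed_hours
    if not start <= hour < end:
        return False, "POP: outside the time-of-day access window"
    if op not in permissions_for(acl, cred):
        return False, f"ACL: '{op}' not granted to {cred.user}"
    return True, "permitted"


def sample_space():
    """Constructed sample covering the three content categories above."""
    public = {"unauthenticated": {"r"}, "any-other": {"r"}}
    s = ObjectSpace()
    s.attach("/pubs", acl=public)                                    # public, plain HTTP
    s.attach("/shop", acl=public, pop=POP(qop="privacy"))            # public, but privacy required
    s.attach("/intranet", acl={"group:staff": {"r"}},
             pop=POP(allowed_hours=(8, 18)))                         # private, office hours only
    return s


if __name__ == "__main__":
    s = sample_space()
    print(check_access(s, Credential(), "/shop/cart", hour=10))
    print(check_access(s, Credential("alice", frozenset({"staff"}), True),
                       "/intranet/hr/policy.html", hour=10))
```

Note that /intranet/hr/policy.html carries no explicit policy of its own: the ACL and POP attached at /intranet are inherited, which is exactly why the administrator only needs to attach policy where the rules change.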
WebSEAL authentication
Authentication is the method of identifying an individual process or entity that is
attempting to log in to a secure domain. WebSEAL can enforce a high degree of
security in a secure domain by requiring each user to provide proof of identity.
The following conditions apply to the WebSEAL authentication process:
v WebSEAL supports several authentication methods by default and can be
customized to use other methods.
v When both server and client require authentication, the exchange is known as
mutual authentication.
v The WebSEAL server process is independent of the authentication method.
v The result of successful authentication to WebSEAL is a Tivoli Access Manager
user identity.
v WebSEAL uses this identity to build a credential for that user.
v The authorization service uses this credential to permit or deny access to protected
objects after evaluating the ACL permissions and POP conditions governing the
policy for each requested resource.
This flexible approach to authentication allows security policy to be based on
business requirements and not physical network topology.
For a complete overview of WebSEAL authentication concepts, see Chapter 6,
“Authentication overview,” on page 135.
Standard WebSEAL junctions
Tivoli Access Manager provides authentication, authorization, and management
services for a network. In a Web-based network, these services are best provided
by one or more front-end WebSEAL servers that integrate and protect Web
resources and applications located on back-end Web servers.
The connection between a WebSEAL server and a back-end Web application server
is known as a standard WebSEAL junction. A WebSEAL junction is a TCP/IP
connection between a front-end WebSEAL server and a back-end server.
Note: WebSEAL also supports virtual hosting through another form of junctions
called virtual host junctions.
The back-end server can be another WebSEAL server or, more commonly, a
third-party Web application server. The back-end server Web space is ″connected″
to the WebSEAL server at a specially designated junction (mount) point in the
WebSEAL Web space.
A junction allows WebSEAL to provide protective services on behalf of the
back-end server. WebSEAL can perform authentication and authorization checks on
all requests before passing those requests on to the back-end server. If the back-end
server requires fine-grained access control on its objects, you must perform
additional configuration steps (using the query_contents CGI program) to describe
the third-party Web space to the Tivoli Access Manager security service.
Junctions provide a scalable, secure environment that allows load balancing, high
availability, and state management capabilities—all performed transparently to
clients. As an administrator, you can benefit from this centralized management of the Web space.
WebSEAL junctions provide the added value of logically combining the Web space
of a back-end server with the Web space of the WebSEAL server. Junctions between
cooperating servers result in a single, unified, distributed Web space that is
seamless and transparent to users.
The client never needs to know the physical location of a Web resource. WebSEAL
translates logical URL addresses into the physical addresses that a back-end server
expects. Web objects can be moved from server to server without affecting the way
the client accesses those objects.
A unified Web space simplifies the management of all resources for the system
administrator. Additional administrative benefits include scalability, load balancing,
and high availability.
Most commercial Web servers do not have the ability to define a logical Web object
space. Instead, their access control is connected to the physical file and directory
structure. WebSEAL junctions can transparently define an object space that reflects
organizational structure rather than the physical machine and directory structure
commonly encountered on standard Web servers.
WebSEAL junctions also allow you to create single signon solutions. A single
signon configuration allows a user to access a resource, regardless of the resource’s
location, using only one initial login. Any further login requirements from
back-end servers are handled transparently to the user.
WebSEAL junctions are an important tool for making your Web site scalable.
Junctions allow you to respond to increasing demands on a Web site by attaching
additional servers.
Web space scalability
WebSEAL junctions are used to create a scalable Web space. As the demands on
the Web space grow, more servers can easily be added to expand the capabilities of the site.
Additional servers can be added for the following reasons:
v To extend the Web space with additional content.
v To duplicate existing content for load balancing, failover capability, and high
availability.
Replicated front-end WebSEAL servers
Junction support for back-end servers starts with at least one front-end WebSEAL
server. Replicated front-end WebSEAL servers provide the site with load balancing
during periods of heavy demand. The load balancing process is handled by a
third-party device such as IBM Network Dispatcher or Cisco Local Director.
Front-end replication also provides the site with failover capability—if a server
fails for some reason, the remaining replica servers will continue to provide access
to the site. Successful load balancing and failover capability results in high
availability for users of the site.
When you replicate front-end WebSEAL servers, each server must contain an exact
copy of the Web space and the junction database.
Account information for authentication is located in a user registry that is
independent of the front-end servers.
Junctioned back-end servers
Web site content can be served by the WebSEAL server itself, back-end servers, or
a combination of both. WebSEAL junction support for back-end servers allows you
to scale the Web site through additional content and resources.
Each unique back-end server must be junctioned to a separate junction (mount)
point. As the demand for additional content grows, more servers can be added
through junctions. This scenario provides a solution for networks that have a large
existing investment in third-party Web servers.
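To make concrete both the URL translation described under "Standard WebSEAL junctions" (the client never learns the physical location of a resource) and the rule above that each back-end server needs its own junction point, here is a Python model of a junction table. It is added as an example and is not WebSEAL's own code; the junction points, host names, ports and the JunctionTable and resolve names are constructed for the illustration.

```python
"""Model of how WebSEAL junctions map logical URLs in the unified Web space to
the physical addresses back-end servers expect. Added illustration; it is not
WebSEAL's own code, and the junction points and host names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Junction:
    point: str              # junction (mount) point in the WebSEAL Web space
    host: str               # back-end server reached through this junction
    port: int
    scheme: str = "http"    # protocol WebSEAL uses to reach the back end


def normalize_point(point: str) -> str:
    """Canonical form of a junction point: leading slash, no trailing slash."""
    stripped = point.strip("/")
    return "/" + stripped if stripped else "/"


class JunctionTable:
    """The junction database of one WebSEAL instance. Replicated front-end
    servers would each hold an identical copy of this table."""

    def __init__(self):
        self._by_point = {}

    def create(self, junction: Junction) -> bool:
        """Each back-end server needs its own junction point; refuse to reuse one."""
        point = normalize_point(junction.point)
        if point in self._by_point:
            return False
        self._by_point[point] = junction
        return True

    def resolve(self, logical_url: str):
        """Return (junction, physical_url). The junction point that is the longest
        path prefix of the request wins; the rest of the path is forwarded
        unchanged, so the client never sees the back-end address. No match means
        WebSEAL serves the object from its own local Web space."""
        path, sep, query = logical_url.partition("?")
        best = None
        for point in self._by_point:
            matches = point == "/" or path == point or path.startswith(point + "/")
            if matches and (best is None or len(point) > len(best)):
                best = point
        if best is None:
            return None, None
        j = self._by_point[best]
        remainder = path if best == "/" else (path[len(best):] or "/")
        return j, f"{j.scheme}://{j.host}:{j.port}{remainder}{sep}{query}"


def sample_table() -> JunctionTable:
    """Constructed sample: two back-end servers behind one WebSEAL."""
    t = JunctionTable()
    t.create(Junction("/pubs", "pubs.example.internal", 80))
    t.create(Junction("/shop", "shop.example.internal", 8443, scheme="https"))
    return t


if __name__ == "__main__":
    t = sample_table()
    print(t.resolve("/pubs/docs/index.html?lang=en"))
    print(t.resolve("/local/page.html"))   # no junction: served by WebSEAL itself
```

The prefix test insists on a "/" boundary, so a request for /pubsearch/... is not routed through the /pubs junction; a sloppier startswith check would silently forward such requests to the wrong back-end server.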
IBM® Tivoli® Access Manager is the base software that is required to run applications in the Tivoli Access Manager product suite. This base software enables
the integration of Tivoli Access Manager applications to provide a wide range of authorization and management solutions. Sold as integrated products, these
applications can provide an access control management solution to centralize
network and application security policy for e-business applications.
Intended audience
This guide is for system administrators responsible for configuring and
maintaining a Tivoli Access Manager WebSEAL environment.
Readers should be familiar with the following:
v PC and UNIX® or Linux® operating systems
v Database architecture and concepts
v Security management
v Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and
Telnet
v A supported user registry
v Authentication and authorization
If you are enabling Secure Sockets Layer (SSL) communication, you also should be
familiar with SSL protocol, key exchange (public and private), digital signatures,
cryptographic algorithms, and certificate authorities.
What this publication contains
Part 1: Administration
v Chapter 1, “IBM Tivoli Access Manager WebSEAL overview,” on page 3
v Chapter 2, “Server administration,” on page 21
Part 2: Configuration
v Chapter 4, “Web server response configuration,” on page 79
v Chapter 5, “Web server security configuration,” on page 111
Part 3: Authentication
v Chapter 8, “Advanced authentication methods,” on page 179
v Chapter 9, “Post-authentication processing,” on page 215
v Chapter 10, “Password processing,” on page 223
v Chapter 11, “Credential processing,” on page 235
v Chapter 12, “External authentication interface,” on page 249
Part 4: Session State
v Chapter 15, “Failover solutions,” on page 285
v Chapter 16, “Session state in non-clustered environments,” on page 311
Part 5: Session Management Server
v Chapter 17, “Session management server (SMS) overview,” on page 327
v Chapter 18, “Quickstart guide for WebSEAL using SMS,” on page 333
v Chapter 19, “Configuration for WebSEAL using SMS,” on page 339
Part 6: Authorization
v Chapter 21, “Key management,” on page 375
Part 7: Standard WebSEAL Junctions
v Chapter 22, “Standard WebSEAL junctions,” on page 389
v Chapter 23, “Advanced junction configuration,” on page 411
v Chapter 24, “Modifying URLs to junctioned resources,” on page 441
v Chapter 25, “Command option summary: Standard junctions,” on page 467
Part 8: Virtual Hosting
v Chapter 26, “Virtual host junctions,” on page 481
v Chapter 27, “Command option summary: Virtual host junctions,” on page 507
Part 9: Single Signon Solutions
v Chapter 28, “Single signon solutions across junctions,” on page 519
v Chapter 29, “Windows desktop single signon,” on page 547
v Chapter 30, “Cross-domain single signon,” on page 565
v Chapter 31, “E-community single signon,” on page 581
Part 10: Deployment
v Chapter 33, “Application integration,” on page 623
v Chapter 34, “Dynamic URLs,” on page 641
v Chapter 35, “Attribute retrieval service reference,” on page 655
v Chapter 36, “Authorization decision information retrieval,” on page 665
Appendix
v Appendix A, “Guidelines for changing configuring files,” on page 675
v Appendix B, “Stanza reference,” on page 679
v Appendix C, “Command reference,” on page 943
Publications
This section lists publications in the IBM Tivoli Access Manager for e-business
library and related documents. The section also describes how to access Tivoli
publications online and how to order Tivoli publications.
IBM Tivoli Access Manager for e-business library
Review the descriptions of the Tivoli Access Manager library, the prerequisite
publications, and the related publications to determine which publications you
might find helpful. After you determine the publications you need, refer to the
instructions for accessing publications online.
Additional information about the Tivoli Access Manager for e-business product
itself can be found at the following Web address:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus
The Tivoli Access Manager library is organized into the following categories:
v “Release information”
v “Administration documentation”
v “Problem determination documentation” on page xxxiii
v “Performance tuning documentation” on page xxxiii
Release information
v IBM Tivoli Access Manager for e-business: Release Notes, GC23-6501-00
Provides information about installing and getting started, system requirements, known installation and configuration problems, and problem workarounds.
Installation and upgrade documentation
v IBM Tivoli Access Manager for e-business: Installation Guide, GC23-6502-00
Explains how to install and configure Tivoli Access Manager for e-business.
v IBM Tivoli Access Manager for e-business: Upgrade Guide, SC23-6503-00
Explains how to upgrade to Tivoli Access Manager for e-business version 6.1.
v IBM Tivoli Access Manager for e-business: Quick Start Guide, GI11-8174-00
Provides a high-level overview of a Tivoli Access Manager for e-business version
6.1 installation.
Administration documentation
Describes the concepts and procedures for using Tivoli Access Manager. Provides
instructions for performing tasks from the Web Portal Manager interface and by
using the pdadmin utility.
v IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide,
SC23-6505-00
Provides background material, administrative procedures, and technical
reference information for using WebSEAL to manage the resources of your
secure Web domain.
v IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration
Guide, SC23-6506-00
the IBM WebSphere® Edge Server application.
v IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration
Guide, SC23-6507-00
securing your Web domain using a Web server plug-in.
v IBM Tivoli Access Manager for e-business: Shared Session Management Administration
Guide, SC23-6509-00
management server.
v IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User’s Guide, SC23-6510-00
Provides information for network or system security administrators who plan to
enable SSL communication in their Tivoli Access Manager environment.
v IBM Tivoli Access Manager for e-business: Auditing Guide, SC23-6511-00
Provides information about configuring and managing audit events using the
native Tivoli Access Manager approach and the Common Auditing and
Reporting Service. Information about installing and configuring the Common Auditing and Reporting Service that can be used for generating and viewing
operational reports is also provided.
Reference documentation
v IBM Tivoli Access Manager for e-business: Command Reference, SC23-6512-00
Provides reference information about the commands, utilities, and scripts that
are provided with Tivoli Access Manager.
v IBM Tivoli Access Manager for e-business: Administration C API Developer Reference, SC23-6513-00
Provides reference information about using the C language implementation of the administration API to enable an application to perform Tivoli Access
Manager administration tasks.
v IBM Tivoli Access Manager for e-business: Administration Java Classes Developer
Reference, SC23-6514-00
Provides reference information about using the Java™ language implementation
of the administration API to enable an application to perform Tivoli Access
Manager administration tasks.
v IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference,
SC23-6515-00
Provides reference information about using the C language implementation of the authorization API to enable an application to use Tivoli Access Manager
security.
v IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer
Reference, SC23-6516-00
Provides reference information about using the Java language implementation of the authorization API to enable an application to use Tivoli Access Manager
security.
v IBM Tivoli Access Manager for e-business: Web Security Developer Reference, SC23-6517-00
Provides programming and reference information for developing authentication
modules.
Problem determination documentation
v IBM Tivoli Access Manager for e-business: Problem Determination Guide
Provides problem determination information for Tivoli Access Manager.
v IBM Tivoli Access Manager for e-business: Error Message Reference, GI11-8157-00
Provides explanations and recommended actions for the messages and return
code that are generated by Tivoli Access Manager.
Performance tuning documentation
v IBM Tivoli Access Manager for e-business: Performance Tuning Guide, SC23-6518-00
Provides performance tuning information for an environment consisting of Tivoli
Access Manager with the IBM Tivoli Directory Server as the user registry.
Related products and publications
This section lists the IBM products that are related to and included with a Tivoli
Access Manager solution.
IBM Global Security Kit
Tivoli Access Manager provides data encryption through the use of the Global
Security Kit (GSKit) version 7.0. GSKit is included on the IBM Tivoli Access Manager
Base CD for your particular platform, as well as on the IBM Tivoli Access Manager
Web Security CDs, the IBM Tivoli Access Manager Shared Session Management CDs,
and the IBM Tivoli Access Manager Directory Server CDs.
The GSKit package provides the iKeyman key management utility, gsk7ikm, which
is used to create key databases, public-private key pairs, and certificate requests.
The IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User’s
Guide is available on the Tivoli Information Center Web site in the same section as
the Tivoli Access Manager product documentation.
IBM Tivoli Directory Server
IBM Tivoli Directory Server version 6.1 is included on the IBM Tivoli Access
Manager Directory Server set of CDs for the desired operating system.
Additional information about Tivoli Directory Server can be found at the following
Web address:
http://www.ibm.com/software/tivoli/products/directory-server/
IBM Tivoli Directory Integrator
IBM Tivoli Directory Integrator version 6.1.1 is included on the IBM Tivoli
Directory Integrator CD for the desired operating system.
Additional information about IBM Tivoli Directory Integrator can be found at the
following Web address:
http://www-306.ibm.com/software/tivoli/products/directory-integrator/
IBM DB2 Universal Database
IBM DB2 Universal Database™ Enterprise Server Edition version 9.1 is provided on
the IBM Tivoli Access Manager Directory Server set of CDs and is installed with the
Tivoli Directory Server software. DB2® is required when using Tivoli Directory
Server or z/OS® LDAP servers as the user registry for Tivoli Access Manager. For
z/OS LDAP servers, you must separately purchase DB2.
Additional information about DB2 can be found at the following Web address:
http://www.ibm.com/software/data/db2
IBM WebSphere Application Server
WebSphere Application Server version 6.1 is included on the IBM Tivoli Access
Manager WebSphere Application Server set of CDs for the desired operating system.
WebSphere Application Server enables the support of the Web Portal Manager
interface, which is used to administer Tivoli Access Manager; the Web
Administration Tool, which is used to administer Tivoli Directory Server; the
Common Auditing and Reporting Service, which is used to process and report on
audit events; the session management server, which is used to manage shared
sessions in a Web security server environment; and the Attribute Retrieval Service.
Additional information about WebSphere Application Server can be found at the
following Web address:
Accessing terminology online
The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available at the following
Tivoli software library Web site:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
The IBM Terminology Web site consolidates the terminology from IBM product
libraries in one convenient location. You can access the Terminology Web site at the
following Web address:
Accessing publications online
The Tivoli Software Library provides a variety of Tivoli publications such as white
papers, data sheets, demonstrations, Redbooks™, and announcement letters. The
publications for this product and many other Tivoli products are available online
in Portable Document Format (PDF) or Hypertext Markup Language (HTML)
format, or both in the Tivoli software library at the following Web address:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
To locate product publications in the library, click the first letter of the product
name or scroll until you find the product name. Then click the name of the
Note: To ensure proper printing of PDF publications, select the Fit to page check
box in the Adobe Acrobat Print window (which is available when you click
File → Print).
Ordering publications
You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
You can also order by telephone by calling one of these numbers:
v In the United States: 800-879-2755
v In Canada: 800-426-4968
In other countries, contact your software account representative to order Tivoli
publications. To locate the telephone number of your local representative, perform
the following steps:
Go.
3. Click About this site in the main panel to see an information page that
includes the telephone number of your local representative.
Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully. With this product,
you can use assistive technologies to hear and navigate the interface. You can also
use the keyboard instead of the mouse to operate all features of the graphical user
interface.
Tivoli technical training
For Tivoli technical training information, refer to the following IBM Tivoli
Education Web site at http://www.ibm.com/software/tivoli/education.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM
provides the following ways for you to obtain the support you need:
Online
Go to the IBM Software Support site at http://www.ibm.com/software/support and follow the instructions.
IBM Support Assistant
The IBM Support Assistant (ISA) is a free local software serviceability
workbench that helps you resolve questions and problems with IBM
software products. The ISA provides quick access to support-related
information and serviceability tools for problem determination. To install
the ISA software, go to http://www.ibm.com/software/support/isa.
Problem Determination Guide
For more information about resolving problems, see the IBM Tivoli Access
Manager for e-business: Problem Determination Guide.
This publication uses several conventions for special terms and actions, operating
system-dependent commands and paths, and margin graphics.
Typeface conventions
Bold
v Lowercase commands and mixed case commands that are otherwise
difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin
buttons, fields, folders, icons, list boxes, items inside list boxes,
multicolumn lists, containers, menu choices, menu names, tabs, property
sheets), labels (such as
Italic
v Citations (examples: titles of publications, diskettes, and CDs)
v Words defined in text (example: a nonswitched line is called a
point-to-point line)
v Emphasis of words and letters (words as words example: "Use the word
that to introduce a restrictive clause."; letters as letters example: "The
LUN address must start with the letter L.")
v New terms in text (except in a definition list): a view is a frame in a
workspace that contains data.
v Variables and values you must provide: ... where myname represents....
Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are difficult
to distinguish from surrounding text
v Message text and prompts addressed to the user
v Text that the user must type
v Values for arguments or command options
Operating system-dependent variables and paths
This publication uses the UNIX convention for specifying environment variables
and for directory notation.
When using the Windows command line, replace $variable with %variable% for
environment variables and replace each forward slash (/) with a backslash (\) in
directory paths. The names of environment variables are not always the same in
the Windows and UNIX environments. For example, %TEMP% in Windows
environments is equivalent to $TMPDIR in UNIX environments.
Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.
overview . . . . . . . . . . . . . . . 3
Tivoli Access Manager security model . . . . . . 6
Security model
policies (POPs) . . . . . . . . . . . . 7
Access control list (ACL) policies . . . . . . 8
Protected object policies (POPs) . . . . . . . 8
Explicit and inherited policy . . . . . . . . 9
Policy administration: The Web Portal Manager . 9
Web space protection
Replicated front-end WebSEAL servers . . . . 17
Junctioned back-end servers . . . . . . . . 17
Replicated back-end servers . . . . . . . . 18
Chapter 2. Server administration . . . . . . 21
Server operation . . . . . . . . . . . . . 22
Restarting the WebSEAL server . . . . . . . 23
Displaying WebSEAL server status . . . . . 23
Backup and restore . . . . . . . . . . . . 24
The pdbackup utility . . . . . . . . . . 24
Backing up WebSEAL data . . . . . . . . 24
Restoring WebSEAL data . . . . . . . . . 25
Extracting archived
Common Auditing and Reporting Services (CARS) . . . . . . . . . . . . . . . 28
Problem determination
Notes on configuration data log file growth . 29
Configuration data log file format . . . . . 30
Messages relating to the configuration data log file . . . . . . . . . . . . . . 31
Chapter 1. IBM Tivoli Access Manager WebSEAL overview
IBM® Tivoli® Access Manager for e-business (Tivoli Access Manager) is a robust and
secure centralized policy management solution for e-business and distributed
applications.
IBM Tivoli Access Manager WebSEAL is a high performance, multi-threaded Web
server that applies fine-grained security policy to the Tivoli Access Manager
protected Web object space. WebSEAL can provide single signon solutions and
incorporate back-end Web application server resources into its security policy.
This overview chapter introduces you to the main capabilities of the WebSEAL
server.
v “WebSEAL introduction” on page 5
v “Tivoli Access Manager security model” on page 6
v “Web space protection” on page 10
v “Security policy planning and implementation” on page 12
v “WebSEAL authentication” on page 14
v “Standard WebSEAL junctions” on page 15
v “Web space scalability” on page 17
Tivoli Access Manager introduction
IBM Tivoli Access Manager is a complete authorization and network security
policy management solution that provides end-to-end protection of resources over
geographically dispersed intranets and extranets.
In addition to its state-of-the-art security policy management feature, Tivoli Access
Manager provides authentication, authorization, data security, and centralized
resource management capabilities. You use Tivoli Access Manager in conjunction
with standard Internet-based applications to build highly secure and well-managed
intranets.
v Authentication framework
Tivoli Access Manager provides a wide range of built-in authenticators and
supports external authenticators.
v Authorization framework
The Tivoli Access Manager authorization service, accessed through the Tivoli
Access Manager authorization API, provides permit and deny decisions on
requests for protected resources located in the secure domain.
With Tivoli Access Manager, businesses can securely manage access to private
internal network-based resources while leveraging the public Internet’s broad
connectivity and ease of use. Tivoli Access Manager, in combination with a
corporate firewall system, can fully protect the Enterprise intranet from
unauthorized access and intrusion.
WebSEAL introduction
IBM Tivoli Access Manager WebSEAL is the resource manager responsible for
managing and protecting Web-based information and resources.
WebSEAL is a high performance, multi-threaded Web server that applies
fine-grained security policy to resources in the Tivoli Access Manager protected
Web object space. WebSEAL can provide single signon solutions and incorporate
back-end Web application server resources into its security policy.
WebSEAL normally acts as a reverse Web proxy by receiving HTTP/HTTPS
requests from a Web browser and delivering content from its own Web server or
from junctioned back-end Web application servers. Requests passing through
WebSEAL are evaluated by the Tivoli Access Manager authorization service to
determine whether the user is authorized to access the requested resource.
WebSEAL provides the following features:
v Supports multiple authentication methods.
Both built-in and plug-in architectures allow flexibility in supporting a variety of authentication mechanisms.
v Integrates Tivoli Access Manager authorization service.
v Accepts HTTP and HTTPS requests.
v Integrates and protects back-end server resources through WebSEAL junction
technology.
Provides a unified view of the combined protected object space.
v Manages fine-grained access control for the local and back-end server resources.
Supported resources include URLs, URL-based regular expressions, CGI
programs, HTML files, Java servlets, and Java class files.
v Performs as a reverse Web proxy.
WebSEAL appears as a Web server to clients and appears as a Web browser to
the junctioned back-end servers it is protecting.
v Provides single signon capabilities.
Tivoli Access Manager security model
This section contains the following topics:
v “Security model concepts” on page 6
v “The protected object space” on page 6
v “Access control lists (ACLs) and protected object policies (POPs)” on page 7
v “Access control list (ACL) policies” on page 8
v “Protected object policies (POPs)” on page 8
v “Explicit and inherited policy” on page 9
v “Policy administration: The Web Portal Manager” on page 9
Security model concepts
The security policy for a Tivoli Access Manager secure domain is governed and
maintained by two key security structures:
v User registry
The user registry (such as IBM Tivoli Directory Server, Lotus Domino, or
Microsoft Active Directory) contains all users and groups who are allowed to
participate in the Tivoli Access Manager environment (known as the secure
domain).
v Master authorization (policy) database
The authorization database contains a representation of all resources in the
domain (the protected object space). The security administrator can dictate any
level of security by applying rules, known as access control list (ACL) policies
and protected object policies (POPs), to those resources requiring protection.
The process of authentication proves the identity of a user to WebSEAL. A user can
participate in the secure domain as authenticated or unauthenticated. Only users
with an account in the user registry can become authenticated users. Using ACLs
and POPs, the security administrator can make certain resources publicly available
to unauthenticated users. Other resources can be made available only to certain
authenticated users.
When a user successfully authenticates to WebSEAL, a set of identification
information—known as a credential—is created for that user. The credential
contains the user identity, any group memberships, and any special ("extended")
security attributes.
A credential is required for the user to fully participate in the secure domain. The
Tivoli Access Manager authorization service enforces security policies by
comparing a user’s authentication credentials with the policy permissions assigned
to the requested resource. The resulting recommendation is passed to the resource
manager (for example, WebSEAL), which completes the response to the original
request.
The protected object space
The protected object space is a hierarchical representation of resources belonging to
a Tivoli Access Manager secure domain. The virtual objects that appear in the
object space represent the actual physical network resources, as specified below:
v System resource – the actual physical file or application.
v Protected object – the logical representation of an actual system resource used
by the authorization service, the Web Portal Manager, and other Tivoli Access
Manager management utilities.
Policies can be attached to objects in the object space to provide protection of the
resource. The authorization service makes authorization decisions based on these
policies.
The combined installation of Tivoli Access Manager base and Tivoli Access
Manager WebSEAL provides the following object space categories:
v Web objects
Web objects represent any resource that can be addressed by an HTTP URL. This
includes static Web pages and dynamic URLs that are converted to database
queries or some other type of application. The WebSEAL server is responsible
for protecting Web objects.
v Management objects
Management objects represent the management activities that can be performed
through the Web Portal Manager. The objects represent the tasks necessary to
define users and set security policy. Tivoli Access Manager supports delegation
of management activities and can restrict an administrator’s ability to set
security policy to a subset of the object space.
v User-defined objects
protected by applications that access the authorization service through the Tivoli
Access Manager authorization API.
Access control lists (ACLs) and protected object policies (POPs)
Security administrators protect Tivoli Access Manager system resources by defining
rules, known as ACL and POP policies, and applying these policies to the object
representations of those resources in the protected object space.
The Tivoli Access Manager authorization service performs authorization decisions
based on the policies applied to these objects. When a requested operation on a
protected object is permitted, the application responsible for the resource
implements this operation.
One policy can dictate the protection parameters of many objects. Any change to
the rule affects all objects to which the ACL or POP is attached.
Figure: the protected object space, showing Management Objects, Web Objects, and User-Defined Objects
Access control list (ACL) policies
An access control list policy, or ACL policy, is the set of rules (permissions) that
specifies the conditions necessary to perform certain operations on a resource.
ACL policy definitions are important components of the security policy established
for the secure domain. ACL policies, like all policies, are used to stamp an
organization’s security requirements onto the resources represented in the
protected object space.
An ACL policy controls:
1. What operations can be performed on the resource
2. Who can perform these operations
An ACL policy is made up of one or more entries that include user and group
designations and their specific permissions or rights. An ACL can also contain
rules that apply to unauthenticated users.
Protected object policies (POPs)
ACL policies provide the authorization service with information to make a "yes" or
"no" answer on a request to access a protected object and perform some operation
on that object.
Protected object policies (POPs) contain additional conditions on the request that
are passed back to Tivoli Access Manager and the resource manager (such as
WebSEAL) along with the "yes" ACL policy decision from the authorization
service. It is the responsibility of Tivoli Access Manager and the resource manager
to enforce the POP conditions.
The following tables list the available attributes for a POP:

Enforced by Tivoli Access Manager

POP Attribute          Description
                       argument in the pdadmin pop commands.
Description            Descriptive
                       the pop show command.
Warning Mode           Provides administrators a means to test ACL and POP
                       policies.
                       denied access, errors.
Time-of-Day Access     Day and time restrictions for successful access to the
                       protected object.

POP Attribute          Description
Quality of Protection  Specifies the degree of data protection: none, integrity,
                       privacy.
                       members of
Explicit and inherited policy
Policy can be explicitly applied or inherited. The Tivoli Access Manager protected
object space supports inheritance of ACL and POP attributes. Inheritance is an
important management feature for the security administrator. The administrator
needs to apply explicit policies only at points in the hierarchy where the rules
must change.
Policy administration: The Web Portal Manager
The Web Portal Manager is a Web-based graphical application used to manage
security policy in a Tivoli Access Manager secure domain. The pdadmin command
line utility provides the same administration capabilities as the Web Portal
Manager, plus some commands not supported by the Web Portal Manager.
From the Web Portal Manager (or pdadmin), you can manage the user registry, the
master authorization policy database, and the Tivoli Access Manager servers. You
can also add and delete users and groups and apply ACLs and POPs to network
objects.
Web space protection
When WebSEAL enforces security in a secure domain, each user must provide
proof of identity. In turn, Tivoli Access Manager security policy determines
whether that user is permitted to perform an operation on a requested resource.
Because access to every Web resource in a secure domain is controlled by
WebSEAL, WebSEAL’s requirements for authentication and authorization can
provide comprehensive network security.
In security systems, authorization is distinct from authentication. Authorization
determines whether an authenticated user has the right to perform an operation on
a specific resource in a secure domain. Authentication can validate the identity of a
user, but says nothing about the user’s right to perform operations on a protected
resource.
In the Tivoli Access Manager authorization model, authorization policy is
implemented independently of the mechanism used for user authentication. Users
can authenticate their identity using either public and private key, secret key, or
customer-defined mechanisms.
Part of the authentication process involves the creation of a credential that
describes the identity of the user. Authorization decisions made by an
authorization service are based on user credentials.
The resources in a secure domain receive a level of protection as dictated by the
security policy for the domain. The security policy defines the legitimate
participants of the secure domain and the degree of protection surrounding each
resource that is being protected.
The authorization process consists of the following basic components:
v A resource manager is responsible for implementing the requested operation
when authorization is granted. WebSEAL is a resource manager.
A component of the resource manager is a policy enforcer that directs the
request to the authorization service for processing.
Note: Traditional applications bundle the policy enforcer and resource manager
into one process. Examples of this structure include WebSEAL and
third-party applications.
v An authorization service performs the decision-making action on the request.
The following diagram illustrates the complete authorization process:
10 WebSEAL Administration
1. A request for a resource from an authenticated user is directed to the resource
manager and intercepted by the policy enforcer process.
The resource manager can be WebSEAL (for HTTP, HTTPS access) or a
third-party application.
2. The policy enforcer process uses the Tivoli Access Manager authorization API
to call the authorization service for an authorization decision.
3. The authorization service performs an authorization check on the resource,
represented as an object in the protected object space.
a. Tivoli Access Manager POPs are checked first.
b. Next the ACL policy attached to the object is checked against the client’s
credentials.
c. Finally, POPs enforced by the resource manager are checked.
4. The decision to accept or deny the request is returned as a recommendation to
the resource manager (through the policy enforcer).
5. If the request is finally approved, the resource manager passes the request on to
the application responsible for the resource.
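The three-stage check in step 3 above, together with the inheritance rule described under "Explicit and inherited policy", is modelled in the following Python. It is an added illustration, not WebSEAL or Tivoli Access Manager code. The object paths, permission letters, user and group names, and the two POP attributes it models (time-of-day access, checked by Tivoli Access Manager before the ACL, and quality of protection, enforced by the resource manager after it) are constructed for the example; the effective policy for an object is taken to be the nearest explicit ACL or POP found by walking up the object space toward the root.

```python
"""Toy model of the Tivoli Access Manager authorization flow.

Added illustration, not WebSEAL or Tivoli Access Manager code. Object paths,
permission letters, names and the POP attributes modelled are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set, Tuple


@dataclass
class ACL:
    # Entry keys: "user:<name>", "group:<name>" or "unauthenticated";
    # values are the granted operations (letters are illustrative only).
    entries: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class POP:
    # Time-of-day window, checked by Tivoli Access Manager before the ACL.
    tod_hours: Optional[range] = None
    # Quality of protection, enforced by the resource manager (WebSEAL).
    qop: str = "none"  # "none", "integrity" or "privacy"


@dataclass
class Credential:
    user: Optional[str] = None  # None models an unauthenticated credential
    groups: Set[str] = field(default_factory=set)


def ancestors(path: str) -> Iterator[str]:
    """Yield the object path itself, then each parent up to the root "/"."""
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"


class ObjectSpace:
    """Protected object space: a policy attached at a node is inherited by
    everything below it until another explicit policy overrides it."""

    def __init__(self) -> None:
        self.acls: Dict[str, ACL] = {}
        self.pops: Dict[str, POP] = {}

    def effective(self, table: dict, path: str) -> Tuple[Optional[str], object]:
        """Return (node, policy) for the nearest explicit policy at or above path."""
        for node in ancestors(path):
            if node in table:
                return node, table[node]
        return None, None


def permitted_ops(acl: ACL, cred: Credential) -> Set[str]:
    """Operations the ACL grants this credential: the user entry plus all group entries."""
    if cred.user is None:
        return set(acl.entries.get("unauthenticated", set()))
    ops = set(acl.entries.get(f"user:{cred.user}", set()))
    for group in cred.groups:
        ops |= acl.entries.get(f"group:{group}", set())
    return ops


def authorize(space: ObjectSpace, path: str, cred: Credential, op: str,
              *, hour: int, scheme: str) -> Tuple[str, str]:
    """Decide a request in the order the guide gives: POP conditions enforced by
    Tivoli Access Manager, then the ACL, then POP conditions enforced by the
    resource manager. Returns ("permit" | "deny", reason)."""
    _, pop = space.effective(space.pops, path)
    acl_node, acl = space.effective(space.acls, path)
    # 3a. Tivoli Access Manager POP check (time-of-day).
    if pop is not None and pop.tod_hours is not None and hour not in pop.tod_hours:
        return "deny", "outside time-of-day window"
    # 3b. ACL attached to the object, explicitly or by inheritance.
    if acl is None or op not in permitted_ops(acl, cred):
        return "deny", f"no ACL grants '{op}' (effective ACL node: {acl_node})"
    # 3c. Resource-manager POP check (quality of protection).
    if pop is not None and pop.qop == "privacy" and scheme != "https":
        return "deny", "privacy requires HTTPS"
    return "permit", f"granted by ACL at {acl_node}"


def build_sample_space() -> ObjectSpace:
    """Constructed sample: explicit policy only where the rules change."""
    space = ObjectSpace()
    # Root of the Web space: anonymous read, staff may also list directories.
    space.acls["/WebSEAL/www"] = ACL({"unauthenticated": {"r"}, "group:staff": {"r", "l"}})
    # /private overrides the inherited ACL: no anonymous access.
    space.acls["/WebSEAL/www/private"] = ACL({"group:staff": {"r", "l"}})
    # /private/payroll inherits the ACL but adds POP conditions.
    space.pops["/WebSEAL/www/private/payroll"] = POP(tod_hours=range(9, 18), qop="privacy")
    return space


if __name__ == "__main__":
    s = build_sample_space()
    alice = Credential("alice", {"staff"})
    print(authorize(s, "/WebSEAL/www/index.html", Credential(), "r", hour=12, scheme="http"))
    print(authorize(s, "/WebSEAL/www/private/memo.html", Credential(), "r", hour=12, scheme="http"))
    print(authorize(s, "/WebSEAL/www/private/payroll/2008.pdf", alice, "r", hour=10, scheme="https"))
    print(authorize(s, "/WebSEAL/www/private/payroll/2008.pdf", alice, "r", hour=10, scheme="http"))
```

Note that the payroll object carries no ACL of its own: the decision for it combines the ACL inherited from /private with the POP attached at /payroll, which is exactly the inheritance behaviour that lets an administrator attach explicit policy only where the rules change.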
Security policy planning and implementation
A corporate security policy for Web resources identifies:
v The Web resources requiring protection.
v The level of protection.
Tivoli Access Manager uses a virtual representation of these Web resources, called
the protected object space. The protected object space contains objects that
represent actual physical resources in your network.
You implement security policy by applying the appropriate security mechanisms to
the objects requiring protection.
v Access control list (ACL) policies
ACL policies identify user types that can be considered for access and specify
the operations permitted on the object.
v Protected object policies (POPs)
A POP specifies additional conditions governing the access to the protected
object, such as privacy, integrity, auditing, and time-of-day access.
v Extended attributes
Extended attributes are additional values placed on an object, ACL, or POP that
can be read and interpreted by third-party applications (such as an external
authorization service).
The core component of Tivoli Access Manager is the Tivoli Access Manager
authorization service—which permits or denies access to protected objects
(resources) based on the user’s credentials and the access controls placed on the
objects.
To successfully implement the security policy, you must logically organize the
different content types (as described in “Content types and levels of protection ”
on page 12) and apply the appropriate ACL and POP policies. Access control
management can be very complex and is made much easier by careful
categorization of the content types.
Content types and levels of protection
As the security administrator of your Web space, you must correctly identify the types of content available to a variety of user types. Some content must be highly
protected and available only to specific users; other content is for general public
view. Each security scenario demands different protection requirements and an
associated WebSEAL configuration.
It is your responsibility to:
v Know your Web content
v Identify the types of users requiring access to this content
v Understand the strengths and weaknesses of the available WebSEAL
configuration options for securing this content
Protection of Web content falls into three broad categories:
1. Public content – access requires no protection
v Unauthenticated users can access resources using HTTP.
v An unauthenticated credential is used for access control to resources.
v Basic WebSEAL configuration requirements provide protection.
2. Public content – access requires privacy (encryption)
v Unauthenticated users can access resources using HTTPS.
v Encryption, required by the application server, is used to protect sensitive
data (such as credit card numbers and user account information).
v An unauthenticated credential is used for access control to resources.
v WebSEAL configuration needs to stipulate privacy.
3. Private content – access requires authentication
v Authenticated clients can access resources using HTTP or HTTPS.
v The administrator determines the need for encryption.
v An authenticated credential is used for access control to resources; each user
must have an account defined in the Tivoli Access Manager user registry.
v WebSEAL configuration is complex and all options must be considered
carefully to determine the impact of the security policy.
WebSEAL authentication
Authentication is the method of identifying an individual process or entity that is
attempting to log in to a secure domain. WebSEAL can enforce a high degree of
security in a secure domain by requiring each user to provide proof of identity.
The following conditions apply to the WebSEAL authentication process:
v WebSEAL supports several authentication methods by default and can be
customized to use other methods.
v When both server and client require authentication, the exchange is known as
mutual authentication.
v The WebSEAL server process is independent of the authentication method.
v The result of successful authentication to WebSEAL is a Tivoli Access Manager
user identity.
v WebSEAL uses this identity to build a credential for that user.
v The authorization service uses this credential to permit or deny access to protected
objects after evaluating the ACL permissions and POP conditions governing the
policy for each requested resource.
This flexible approach to authentication allows security policy to be based on
business requirements and not physical network topology.
For a complete overview of WebSEAL authentication concepts, see Chapter 6,
“Authentication overview,” on page 135.
Standard WebSEAL junctions
Tivoli Access Manager provides authentication, authorization, and management
services for a network. In a Web-based network, these services are best provided
by one or more front-end WebSEAL servers that integrate and protect Web
resources and applications located on back-end Web servers.
The connection between a WebSEAL server and a back-end Web application server
is known as a standard WebSEAL junction. A WebSEAL junction is a TCP/IP
connection between a front-end WebSEAL server and a back-end server.
Note: WebSEAL also supports virtual hosting through another form of junctions
called virtual host junctions.
The back-end server can be another WebSEAL server or, more commonly, a
third-party Web application server. The back-end server Web space is ″connected″
to the WebSEAL server at a specially designated junction (mount) point in the
WebSEAL Web space.
A junction allows WebSEAL to provide protective services on behalf of the
back-end server. WebSEAL can perform authentication and authorization checks on
all requests before passing those requests on to the back-end server. If the back-end
server requires fine-grained access control on its objects, you must perform
additional configuration steps (using the query_contents CGI program) to describe
the third-party Web space to the Tivoli Access Manager security service.
Junctions provide a scalable, secure environment that allows load balancing, high
availability, and state management capabilities—all performed transparently to
clients. As an administrator, you can benefit from this centralized management of the Web space.
WebSEAL junctions provide the added value of logically combining the Web space
of a back-end server with the Web space of the WebSEAL server. Junctions between
cooperating servers result in a single, unified, distributed Web space that is
seamless and transparent to users.
The client never needs to know the physical location of a Web resource. WebSEAL
translates logical URL addresses into the physical addresses that a back-end server
expects. Web objects can be moved from server to server without affecting the way
the client accesses those objects.
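The logical-to-physical URL translation described above, as an added Python model rather than WebSEAL's own code. The junction points, host names and ports are constructed for the example; matching a junction point only on a path-segment boundary, and picking the longest matching point when junction points are nested, are assumptions of this model and not behaviour the guide states.

```python
"""Toy model of junction-based URL translation.

Added illustration, not WebSEAL code. Junction points, hosts and ports are
constructed; segment-boundary and longest-prefix matching are this model's
assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Junction:
    host: str             # back-end server the junction connects to
    port: int
    scheme: str = "http"  # how WebSEAL talks to the back-end (TCP or SSL)


def find_junction(junctions: Dict[str, Junction], request_path: str) -> Optional[str]:
    """Return the junction (mount) point whose subtree contains request_path, or
    None when WebSEAL serves the path from its own Web space. A point matches
    only on a path-segment boundary, so "/sales" does not capture
    "/salesforce/...". With nested points the longest match wins."""
    best = None
    for point in junctions:
        if point == "/" or request_path == point or request_path.startswith(point + "/"):
            if best is None or len(point) > len(best):
                best = point
    return best


def to_backend_url(junctions: Dict[str, Junction],
                   request_path: str) -> Optional[Tuple[str, str]]:
    """Translate a logical WebSEAL path into the physical back-end URL.
    Returns (junction_point, backend_url), or None for locally served paths."""
    point = find_junction(junctions, request_path)
    if point is None:
        return None
    j = junctions[point]
    # Strip the mount point; the back-end sees its own root-relative path.
    remainder = request_path if point == "/" else (request_path[len(point):] or "/")
    return point, f"{j.scheme}://{j.host}:{j.port}{remainder}"


def to_logical_path(point: str, backend_path: str) -> str:
    """Reverse direction: re-prefix a back-end absolute path with its junction
    point, so a link the back-end emits stays inside the unified Web space."""
    if point == "/":
        return backend_path
    return point + "/" + backend_path.lstrip("/")


# Constructed junction table (not from the guide); keys are junction points.
SAMPLE_JUNCTIONS: Dict[str, Junction] = {
    "/sales": Junction("sales-srv.example.internal", 8080),
    "/sales/reports": Junction("reports-srv.example.internal", 8443, "https"),
    "/hr": Junction("hr-srv.example.internal", 80),
}


if __name__ == "__main__":
    for path in ("/sales/catalog.html", "/sales/reports/q3.html", "/hr",
                 "/salesforce/index.html", "/index.html"):
        print(path, "->", to_backend_url(SAMPLE_JUNCTIONS, path))
    print(to_logical_path("/sales", "/catalog.html"))
```

The two translation functions are what makes the back-end's physical location invisible to the client: a request is routed by its logical prefix, and a path the back-end hands back is re-prefixed before it reaches the browser, so content can move between servers by changing the junction table alone.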
A unified Web space simplifies the management of all resources for the system
administrator. Additional administrative benefits include scalability, load balancing,
and high availability.
Most commercial Web servers do not have the ability to define a logical Web object
space. Instead, their access control is connected to the physical file and directory
structure. WebSEAL junctions can transparently define an object space that reflects
organizational structure rather than the physical machine and directory structure
commonly encountered on standard Web servers.
WebSEAL junctions also allow you to create single signon solutions. A single
signon configuration allows a user to access a resource, regardless of the resource’s
location, using only one initial login. Any further login requirements from
back-end servers are handled transparently to the user.
WebSEAL junctions are an important tool for making your Web site scalable.
Junctions allow you to respond to increasing demands on a Web site by attaching
additional servers.
Web space scalability
WebSEAL junctions are used to create a scalable Web space. As the demands on
the Web space grow, more servers can easily be added to expand the capabilities of the site.
Additional servers can be added for the following reasons:
v To extend the Web space with additional content.
v To duplicate existing content for load balancing, failover capability, and high
availability.
Replicated front-end WebSEAL servers
Junction support for back-end servers starts with at least one front-end WebSEAL
server. Replicated front-end WebSEAL servers provide the site with load balancing
during periods of heavy demand. The load balancing process is handled by a
third-party device such as IBM Network Dispatcher or Cisco Local Director.
Front-end replication also provides the site with failover capability—if a server
fails for some reason, the remaining replica servers will continue to provide access
to the site. Successful load balancing and failover capability results in high
availability for users of the site.
When you replicate front-end WebSEAL servers, each server must contain an exact
copy of the Web space and the junction database.
Account information for authentication is located in a user registry that is
independent of the front-end servers.
Junctioned back-end servers
Web site content can be served by the WebSEAL server itself, back-end servers, or
a combination of both. WebSEAL junction support for back-end servers allows you
to scale the Web site through additional content and resources.
Each unique back-end server must be junctioned to a separate junction (mount)
point. As the demand for additional content grows, more servers can be added
through junctions. This scenario provides a solution for networks that have a large
existing investment in third-party Web servers.